Description

| Field | Value |
| --- | --- |
| Previous ID | SR-5532 |
| Radar | None |
| Original Reporter | Neon12345 (JIRA User) |
| Type | Bug |
Environment
linux, x86_64
Additional Detail from JIRA

| Field | Value |
| --- | --- |
| Votes | 0 |
| Component/s | Compiler, Foundation, Standard Library |
| Labels | Bug |
| Assignee | None |
| Priority | Medium |

md5: a58cdfb1937efc4c817fc1b4e1caa27d
Issue Description:
It seems there is a difference between the size of allocation and deallocation with CFNumber.
```
==31844== Invalid write of size 1
==31844==    at 0x221A3943: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31844==    by 0xB4B3B5: swift_deallocObject (in ...)
==31844==    by 0xB4C42A: _swift_release_dealloc (in ...)
==31844==    by 0xB4D408: bool swift::RefCounts<swift::RefCountBitsT<(swift::RefCountInlinedness)1> >::doDecrementSlow<(swift::ClearPinnedFlag)0, (swift::PerformDeinit)1>(swift::RefCountBitsT<(swift::RefCountInlinedness)1>, unsigned int) (in ...)
==31844==    by 0xB4B6A5: swift_release (in ...)
==31844==    by 0x1021E87: CFBurstTrieCreate (in ...)
==31844==    by 0xE98C69: _CFPropertyListCreateFromUTF8Data (in ...)
==31844==    by 0xE99E7F: _CFPropertyListCreateWithData (in ...)
==31844==    by 0xE9A837: CFPropertyListCreateFromXMLData (in ...)
==31844==    by 0xBF575E: CFTimeZoneCopyAbbreviationDictionary (in ...)
==31844==    by 0xBCEB60: _T010Foundation10NSTimeZoneCACSgSS12abbreviation_tcfc (in ...)
==31844==    by 0xBCEB35: _T010Foundation10NSTimeZoneCACSgSS12abbreviation_tcfC (in ...)
==31844==  Address 0x2b77e1f0 is 0 bytes after a block of size 32 alloc'd
==31844==    at 0x2219ECC0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31844==    by 0xB07B35: swift_slowAlloc (in ...)
==31844==    by 0xB4AF67: swift_allocObject (in ...)
==31844==    by 0xBC51BC: _CFRuntimeCreateInstance (in ...)
==31844==    by 0xF1719A: CFNumberCreate (in ...)
==31844==    by 0x1021DE9: CFBurstTrieCreate (in ...)
==31844==    by 0xE98C69: _CFPropertyListCreateFromUTF8Data (in ...)
==31844==    by 0xE99E7F: _CFPropertyListCreateWithData (in ...)
==31844==    by 0xE9A837: CFPropertyListCreateFromXMLData (in ...)
==31844==    by 0xBF575E: CFTimeZoneCopyAbbreviationDictionary (in ...)
==31844==    by 0xBCEB60: _T010Foundation10NSTimeZoneCACSgSS12abbreviation_tcfc (in ...)
==31844==    by 0xBCEB35: _T010Foundation10NSTimeZoneCACSgSS12abbreviation_tcfC (in ...)
==31844==
```
This happens in CFBurstTrieCreate().
Disassembly of the NSNumber destroy func:

```
_T010Foundation8NSNumberCfD:
0000000000c47c30: push   %rbp
0000000000c47c31: mov    %rsp,%rbp
0000000000c47c34: mov    %r13,%rdi
0000000000c47c37: callq  0xbc5df0 <_CFDeinit>
0000000000c47c3c: callq  0x103df70 <_T010Foundation7NSValueCfd>
0000000000c47c41: mov    $0x21,%esi        <-- Is this the size to be deleted as 33?
0000000000c47c46: mov    $0x7,%edx
0000000000c47c4b: mov    %rax,%rdi
0000000000c47c4e: pop    %rbp
0000000000c47c4f: jmpq   0xb4c490 <swift_deallocClassInstance>
0000000000c47c54: data16 data16 nopw %cs:0x0(%rax,%rax,1)
```
in stdlib/public/runtime/HeapObject.cpp:

```cpp
void swift::swift_deallocObject(HeapObject *object, size_t allocatedSize,
                                size_t allocatedAlignMask)
...
#ifdef SWIFT_RUNTIME_CLOBBER_FREED_OBJECTS
  // Overwrites allocatedSize - sizeof(HeapObject) bytes after the header,
  // so allocatedSize must not exceed the size the block was created with.
  memset_pattern8((uint8_t *)object + sizeof(HeapObject),
                  "\xAB\xAD\x1D\xEA\xF4\xEE\xD0\xB9",
                  allocatedSize - sizeof(HeapObject));
#endif
...
```
in swift-corelibs-foundation/CoreFoundation/NumberDate.subproj/CFNumber.c:

```c
CFNumberRef CFNumberCreate(CFAllocatorRef allocator, CFNumberType type, const void *valuePtr) {
    __CFAssertIsValidNumberType(type);
    ...
    CFNumberRef result = (CFNumberRef)_CFRuntimeCreateInstance(allocator, CFNumberGetTypeID(), size, NULL); // <-- size
    ...
```
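The size mismatch the trace shows can be modelled in a few lines of C. The following is an added example, not code from the Swift runtime, from swift-corelibs-foundation or from the reporter: it stands in a 16-byte header for `HeapObject` (an assumed layout), records the size each block was created with, and checks the size the deinit claims against that record before performing the same clobber write the runtime does under `SWIFT_RUNTIME_CLOBBER_FREED_OBJECTS`. `fill_pattern8` is a portable stand-in for Apple's `memset_pattern8`. With a 32-byte block and a claimed 0x21, it reports a 1-byte overrun, which is exactly valgrind's "Invalid write of size 1 ... 0 bytes after a block of size 32".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Swift's HeapObject header: metadata pointer plus refcount
 * word, 16 bytes on x86_64. The layout is an assumption for this example. */
typedef struct {
    void *metadata;
    uint64_t refcounts;
} heap_object_t;

/* The clobber pattern quoted from HeapObject.cpp. */
static const uint8_t kClobberPattern[8] = {0xAB, 0xAD, 0x1D, 0xEA, 0xF4, 0xEE, 0xD0, 0xB9};

/* Portable stand-in for memset_pattern8(): repeat the 8-byte pattern over
 * `len` bytes, truncating the final copy. */
void fill_pattern8(uint8_t *dst, size_t len) {
    for (size_t i = 0; i < len; i++)
        dst[i] = kClobberPattern[i % 8];
}

/* Tiny tracking allocator: remembers the size each block was created with,
 * playing the role valgrind's "block of size 32 alloc'd" bookkeeping plays. */
typedef struct { heap_object_t *object; size_t size; } tracked_t;
#define MAX_TRACKED 16
static tracked_t g_tracked[MAX_TRACKED];
static size_t g_ntracked;

heap_object_t *demo_alloc_object(size_t size) {
    if (size < sizeof(heap_object_t) || g_ntracked == MAX_TRACKED) return NULL;
    heap_object_t *obj = calloc(1, size);
    if (!obj) return NULL;
    g_tracked[g_ntracked++] = (tracked_t){obj, size};
    return obj;
}

/* Remove and return the recorded size for `obj`; 0 if it was never tracked. */
static size_t take_recorded_size(heap_object_t *obj) {
    for (size_t i = 0; i < g_ntracked; i++) {
        if (g_tracked[i].object == obj) {
            size_t s = g_tracked[i].size;
            g_tracked[i] = g_tracked[--g_ntracked];
            return s;
        }
    }
    return 0;
}

/* Model of swift_deallocObject's clobber path with a size check in front of
 * it. `claimed_size` is what the deinit passes (0x21 in the disassembly).
 * Returns how many bytes the clobber would have written past the real block;
 * 0 means the sizes agree and the clobber ran in bounds. */
size_t demo_dealloc_object(heap_object_t *obj, size_t claimed_size) {
    size_t real_size = take_recorded_size(obj);
    if (real_size == 0) return (size_t)-1;          /* not one of our blocks */
    size_t overrun = claimed_size > real_size ? claimed_size - real_size : 0;
    if (overrun == 0 && claimed_size > sizeof(heap_object_t)) {
        /* Same write the runtime does under SWIFT_RUNTIME_CLOBBER_FREED_OBJECTS. */
        fill_pattern8((uint8_t *)obj + sizeof(heap_object_t),
                      claimed_size - sizeof(heap_object_t));
    }
    free(obj);
    return overrun;
}

/* The report's numbers: a 32-byte CFNumber block, deinit claiming 0x21. */
size_t demo_mismatch_overrun(void) {
    return demo_dealloc_object(demo_alloc_object(32), 0x21);
}

/* Control case: allocation and deallocation sizes agree. */
size_t demo_matching_overrun(void) {
    return demo_dealloc_object(demo_alloc_object(32), 32);
}

/* Sanity check on the pattern fill: returns 1 if the bytes wrap as expected. */
int demo_pattern_ok(void) {
    uint8_t buf[12];
    fill_pattern8(buf, sizeof buf);
    return buf[0] == 0xAB && buf[7] == 0xB9 && buf[8] == 0xAB && buf[11] == 0xEA;
}

int main(void) {
    printf("32-byte block, 0x21 claimed: %zu byte(s) past the block\n", demo_mismatch_overrun());
    printf("32-byte block, 32 claimed:   %zu byte(s) past the block\n", demo_matching_overrun());
    return 0;
}
```

The check is the part worth keeping in mind when reading the trace: the clobber is only dangerous because `allocatedSize` comes from the caller (the emitted deinit) while the real block size came from `_CFRuntimeCreateInstance`, and nothing in between compares the two.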